This article helps troubleshoot 403 errors or empty 200 responses when integrating OAuth 2.0 for Org2Org provisioning. For example, calls to endpoints such as api/v1/users or api/v1/apps may return either an empty 200 response or a 403 error; this article explains the cause and how to resolve it.
- Org2Org with OAuth 2.0 provisioning
- API Service app
The API Service app created for the OAuth 2.0 provisioning integration is not assigned sufficient admin roles. API scopes and admin roles work together: the API scopes determine which actions can be performed (for example, manage users or read apps), while the admin role determines which resources those actions can be performed on. The admin role assigned to the app must therefore grant enough permissions to cover the API scopes that have been consented to.
Assign the API Service app an admin role through the Admin Console:
- Applications > Applications > Choose the API service app.
- Click on the Admin Roles tab.
- Assign both the Group Administrator and Group Membership Administrator roles to the app.
- Ensure that consent is granted for the API scopes that allow the service app to create new users and manage user profiles and credentials: okta.groups.manage and okta.users.manage.
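To verify the fix from the client side, the following added example (not code from Okta or from this article) inspects the service app's access token for the two scopes named above and maps an API response to the two failure modes this article describes. It assumes that Okta places granted scopes in the token's `scp` claim as a list of strings; the sample token is constructed locally and unsigned, and no signature verification is done because the token is only being inspected, not trusted.

```python
import base64
import json

# Scopes the article says the Org2Org service app needs consent for.
REQUIRED_SCOPES = {"okta.users.manage", "okta.groups.manage"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the stripped '=' padding."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def granted_scopes(access_token: str) -> set:
    """Return the scopes listed in the token's 'scp' claim.

    The signature is NOT verified: this only inspects a token we already
    hold to see which scopes were actually consented to (assumption: Okta
    puts granted scopes in 'scp' as a list of strings).
    """
    _header, payload, _signature = access_token.split(".")
    claims = json.loads(_b64url_decode(payload))
    return set(claims.get("scp", []))


def missing_scopes(access_token: str, required=REQUIRED_SCOPES) -> set:
    """Scopes the article requires that the token does not carry."""
    return set(required) - granted_scopes(access_token)


def diagnose(status: int, body) -> str:
    """Map an API response to the failure modes the article describes."""
    if status == 403:
        return "denied: API scope not consented or admin role too narrow"
    if status == 200 and body == []:
        return "empty: admin role grants no visibility into these resources"
    if status == 200:
        return "ok"
    return f"unexpected HTTP {status}"


def _make_token(scopes) -> str:
    """Build an unsigned sample token (constructed test data, not a real token)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"scp": list(scopes)}), ""])


if __name__ == "__main__":
    token = _make_token(["okta.users.manage"])  # groups scope deliberately absent
    print("missing scopes:", missing_scopes(token))
    print(diagnose(200, []))
```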
More details on how to set up this integration can be found in the Related References.
Related References
- Integrate Okta Org2Org with Okta | Okta Docs - This guide walks through how to configure the app and the provisioning integration in the Admin Console UI.
- Secure API connections between orgs with OAuth 2.0 | Okta Developer - This guide walks through how to configure the app and the provisioning integration via our public APIs.
